|
Bugzilla – Full Text Bug Listing |
| Summary: | AUDIT-0: systemd: status of /usr/share/polkit-1/rules.d/systemd-networkd.rules | ||
|---|---|---|---|
| Product: | [openSUSE] openSUSE Tumbleweed | Reporter: | Matthias Gerstner <matthias.gerstner> |
| Component: | Security | Assignee: | Matthias Gerstner <matthias.gerstner> |
| Status: | RESOLVED FIXED | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Normal | ||
| Priority: | P5 - None | CC: | fbui, security-team |
| Version: | Current | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| Whiteboard: | |||
| Found By: | --- | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Bug Depends on: | |||
| Bug Blocks: | 1125314 | ||
|
Description
Matthias Gerstner
2019-02-14 11:29:46 UTC
(In reply to Matthias Gerstner from comment #0) > As explained in bug 1125314 we are currently reviewing all rules files > installed in /usr/share/polkit-1/rules.d. systemd installs the file > /usr/share/polkit-1/rules.d/systemd-networkd.rules. > > This file allows the user 'systemd-network' to perform any of the following > polkit actions without password entry: > > - org.freedesktop.hostname1.set-hostname > - org.freedesktop.timedate1.set-timezone > > Since this file does not start with a suitable number prefix it is currently > ineffective, because our polkit-default-privs take precedence. Indeed. > Can you tell in which context this systemd-network user requires these > actions? It's used by systemd-networkd in case hostname is received from the DHCP server. Similarly the timezone can be received from the DHCP server and if user explicitly allowed it, see man systemd.network. > Which process is running as this user? Service "systemd-networkd" is run as this user. > I couldn't find any in my running Tumbleweed installation. By default systemd-networkd is not enabled (wicked is the default network manager). > > It could be that some feature is broken due to this rules file not being > effective. We should review the security implications and either rename this > file to something like '20-systemd-networkd.rules' and then whitelist it. Or > if it is not strictly needed we should remove or move the file to > /usr/share/doc as an example file. I think we should rename the polkit rule file as systemd-networkd might need to set hostname/timezone as described above. Thank you for the information. I agree that we should make this rules file usable. I will conduct a review of the relevant parts of the daemon and then whitelist it. So the plan is to whitelist networkd accesses in the default polkit rule file ? Or should systemd-networkd.rules be renamed so it takes precedence over the default rules ? The downside of the former is that we can easily miss new method access. (In reply to fbui@suse.com from comment #3) > So the plan is to whitelist networkd accesses in the default polkit rule file ? I am about to introduce a new type of whitelisting for these rules files. It will be independent of the current polkit-default-privs. > Or should systemd-networkd.rules be renamed so it takes precedence over the > default rules ? We will do both, rename the file so it takes precedence and this new name will have to be whitelisted so you don't get any rpmlint errors in the future. Ok I see, let me know when I should rename the rule file, thanks. Okay I had a look into the systemd code. systemd-networkd runs as system-network user per declaration in its .service file. It then calls D-Bus methods from hostnamed or timectld respectively. Those daemons then perform the usual polkit verification logic and ask the polkitd in turn for authorization. Polkit wise everything should be handled okay. You can start renaming the rules.d file to carry a prefix like 60-. The new whitelisting mechanism is about to hit Factory in a while. For the moment it only generates rpmlint warnings, no errors or badness. Once the check is in place I will add a whitelisting for the newly named file. Matthias, FYI, the rule files has been renamed, see https://build.opensuse.org/package/rdiff/Base:System/systemd?linkrev=base&rev=1057 (In reply to fbui@suse.com from comment #7) > FYI, the rule files has been renamed Thank you, I will add it to the whitelisting mechanism once everything has made it to Factory. The new rpmlint-check is active by now in Factory and generates a warning for files in rules.d directories not yet whitelisted. Since everything should be in place I've whitelisted this systemd rules file and it is on its way to Factory via sr#685391. Please note that the new whitelisting mechanism is quite strict and also verifies the file's content. This means if the content changes we will need a follow-up review. This should conclude this bug. If you have an issues, simply reopen. Thank you for your help in implementing this. This is an autogenerated message for OBS integration: This bug (1125438) was mentioned in https://build.opensuse.org/request/show/685391 Factory / polkit-default-privs |